FINNISH SUPERVISORY AUTHORITY: data subjects' privacy must be taken into account when an electric lock system is implemented in a residential building

The Office of the Personal Data Protection Authority has ordered Kamo Plc to bring the personal data processing connected to its electric lock system into compliance with the General Data Protection Regulation. The data controller did not take the legislation's requirements into account when implementing the system, which collects and stores personal data.

Personal data processing must be planned with sufficient care from the moment an electric lock system is implemented, because some deficiencies can be difficult to correct later.

A resident, who brought the matter to the Authority's attention, noticed after moving into the building that it has an electric lock system that registers residents' movements. Residents were not adequately informed about the lock system: according to the resident, the rental agreement includes only a reference to the website of a third party, which provides information on the technical implementation of the electric lock system.

Deficiencies in the definition of the legal basis for the personal data processing

According to the controller, personal data on residents' movements is collected on the basis of a legitimate interest under the General Data Protection Regulation. The data controller considered that the lessor has a legitimate interest, for example, in the management of access rights and in the protection of residents' personal data.

However, the Authority considers that the basis for the processing is not completely defined.

For example, the data controller has not carried out a balancing test on the basis for processing it has chosen, in order to assess whether the controller's legitimate interest overrides the protection of data subjects' personal data. Recipients do not have the possibility to object to the processing based on a legitimate interest, as provided by law.

The principles of privacy by design and by default and of data minimization must be observed

The data controller should have taken into account the requirements of privacy by design and by default when it introduced the electric lock system, which collects and stores personal data. For example, the data controller should have assessed whether there are other, less intrusive ways to achieve its purposes.

The Authority observes that the data controller has not taken into account the principle of limiting the storage period or the data minimization principle arising from the General Data Protection Regulation.

In addition, the Authority considers that the information provided to data subjects did not comply with the transparency requirements for personal data processing. Based on the information provided, residents should be able to easily find out, for example, the extent of the personal data processing and obtain information on their rights.

The Personal Data Protection Authority has issued a communication to Kamo Plc on its non-compliance with the data controller's obligations, together with an order to rectify the personal data processing operations pursuant to the Privacy Act.

The decision is not final and shall be appealed before an Administrative Court.

Decision of the Deputy Data Protection Ombudsman 4900_182_18

SOURCE: FINNISH DATA PROTECTION AUTHORITY
